WordPress Security & Brute Force Attacks

Brute Force attacks can be a thorn in the side of every WordPress site owner from time to time.  Without proper security on the site and hosting, your website will suffer a quick demise.  What is a Brute Force attack?  Brute Force attacks are password guessing attacks on your site.  Invasive scripts and programs are designed to attack your wp-login.php file, attempting to guess the username and/or password.  The amount of resources that these attacks drain from your hosting server can be astonishing.  In some instances, your website will either go offline or you will end up with a compromised WordPress site full of malware.

Within the last 7 days, I have noticed a lot of conversation on social media regarding another wave of Brute Force attacks.  Wordfence has reported that over 6 million brute force attacks occurred within a 16-hour window, on a total of 72,000+ websites.  You may think that all of these attacks originate from some foreign country.  However, you would be wrong.  Ukraine and the United States are the top 2 countries of origin for the latest Brute Force attacks.

Password Audit

We always recommend updating all of your WordPress login passwords.  One of the latest features of WordPress is the generate password feature within the edit profile screen.  It allows you to generate a random password that is a mix of letters (lower and capital), special characters and numbers, and is usually 15+ characters in length.


Login Limits

I always recommend installing the Limit Login Attempts plugin.  Once the plugin is configured, you are able to auto-block suspected IP addresses that are attempting to access your admin.  Within a 12-hour period, we were able to block a total of 50 IP addresses on a client site.


Managed WordPress Hosting

I know we’ve discussed this previously, but it still applies.  Your hosting solution is key for preventing this issue.  There are several things that specialized hosting solutions can do as a preventive measure against Brute Force attacks.  This became very obvious during a conversation with a support tech at a client’s hosting company.  Their level 1 tech support had no idea what our staff was requesting.  And to top it off, there is no easy way to reach level 2/advanced support.  One of the benefits of hosting with 4Cornerhosting is that our security engineers are our support staff.  And we have taken extra steps to prevent Brute Force attacks at the server level.  Regular site scans performed by Sucuri allow our staff to monitor the integrity and condition of our servers.  Taking preventive measures at the server level allows WordPress site owners to handle their typical day-to-day business.